Some Android Phones Lacking Vital Security Patches, Despite Claims That They Were Installed

Some Android phone manufacturers are deceitful to their customers, according to a security outfit located in Germany. Researchers at Security Research Labs, or SRL, looked into companies including Samsung, HTC, Sony, ZTE, TCL, Motorola, and Google. They discovered that some of these companies aren’t installing crucial Android security patches, even though the phones say that the patches were installed.

The researchers looked into firmware on 1,200 different phones and searched for every patch released for the Android operating system in 2017. They made some interesting discoveries about device security. With the exception of the Google Pixel and Google Pixel 2, they found that some of the high-end flagship devices did not have all of the available Android security patches installed. The phones said that the updates were installed, which left users thinking that their devices were safer than they were, and might have triggered questions about smartphone repair.

Karsten Nohl, the founder of SRL, mentioned that it’s expected for a manufacturer to miss a patch or two throughout the year. The researchers discovered that the Samsung J3, released in 2016, was missing 12 patches. Two of the 12 were designated as critical updates by developers.

Manufacturers aren’t the only ones to blame for the lack of proper security and updates. Chip makers shoulder some of the blame too. Phones utilizing a MediaTek chipset had an average of 9.7 missed patches, likely due to the cheaper phones using less expensive chipsets. These aren’t as likely to update as often. Nohl notes that if you purchase a more affordable device, you’re accepting that your phone might not update as much as pricier models. Less frequent updates mean that your phone isn’t as secure as it could be compared to other devices running the same version of Android.

Google responded by saying that some devices aren’t Android certified, which means that they don’t conform to Google’s established standards of security. Manufacturers also have the option of removing a feature instead of patching it. Google and SRL are working together to learn more about what the tests revealed. The top offenders, with more than four patches missed, were manufacturers ZTE and TCL. Huawei, LG, Motorola, and HTC followed with three to four patches missed, and Xiaomi, OnePlus, and Nokia were missing only one to three. The only companies with zero or one patch missed were Google, Samsung, Sony, and Wiko.